Prevent circumventing dansguardian with pf

2007-04-25 Thread Allen Theobald
Greetings!  Included below is my pf.conf set up to use dansguardian
(proxyport 3128, filterport 8080) and tinyproxy (listen port 3128) as a
transparent proxy.

What changes do I need to make to keep someone on int_if/int_net from
circumventing dansguardian by changing their browser to point to 3128?

Thanks and take care,

Allen

--8<--cut here--8<--

ext_if=rl0
int_if=xl0
int_net=192.168.0.0/24
proxy_server  =  127.0.0.1

tcp_services={ 113 }
icmp_types=echoreq

set block-policy return
set skip on lo
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $int_if inet proto tcp \
   from $int_net \
   to any port www -> $proxy_server port 8080

block in

antispoof quick for { lo $int_if }

pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $ext_if inet proto tcp \
   from any \
   to ($ext_if) port $tcp_services flags S/SA keep state
pass on $int_if
pass out keep state
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



Re: Blocking web content

2007-04-19 Thread Allen Theobald
On 4/18/07, Reyk Floeter [EMAIL PROTECTED] wrote:
> On Tue, Apr 17, 2007 at 05:34:48PM -0700, [EMAIL PROTECTED] wrote:
> > I run an openbsd firewall.  I want to block certain sites either by IP
> > address or by domain name.  How do I get more information on how to set
> > this up?
> >
> > Thanks in advance.
> >


I am using Dansguardian with transparent setup (tinyproxy) at home
to successfully block sites.  However, the performance is not
equivalent as without.

How do I figure out/tweak to get it working better?

What have others seen performance-wise using Dansguardian, transparent
proxies in OpenBSD?

Thanks and take care,

Allen



Re: FW: technical help

2006-06-21 Thread Allen Theobald
--- Darrin Chandler [EMAIL PROTECTED] wrote:

> ...
> Here is a good place, and there's also a pf mailing list as well
> (pf@benzedrine.cx).
> ...

Is this mailing list still active?  I subscribed about a month
ago and have yet to receive a single e-mail.

The archives show no messages after Nov '05.

Thanks,

Allen



Re: developing a backup strategy

2006-06-15 Thread Allen Theobald
[snip]

> My favorite solution is rsnapshot in ports. It beats rsync and scp
> because not only does it allow you to specify what and when to backup,
> but it uses hard links. What's that got to do with anything? Well it
> rsyncs everything on the first backup, and only the differences
> thereafter. But it makes every backup look like a full backup (every
> file) because it hard-links the unchanged stuff into the latest backup
> dir. So you get a complete backup dir every time sans lots of file
> transfers and space taken up on the backup storage box.

This guy gives a great explanation and some bash scripts to do
just that:

   http://www.mikerubel.org/computers/rsync_snapshots/

I believe he also refers to rsnapshot as being a more polished
version of what he outlines.

Very interesting and easy read.

Take care,

Allen



SOLVED - caching DNS server, pf, dhcp, and tinyproxy

2006-06-14 Thread Allen Theobald
Dear All,

Everything is working now: caching DNS server, pf, dhcp, and
tinyproxy.

For the record, these really were my friends:
   
1. pfctl -g -s rules | grep '^@'
2. tinyproxy compiled with --enable-debug
3. this list   (aw shucks!)

Tinyproxy.conf ended up being the culprit but not without a
little help from me!  :^)

The first was blindly following directions to set 'User root'
and 'Group root' in tinyproxy.conf.

However, there is no group 'root'!  I'm not sure what the
implications of setting 'User root' are yet.  But it works.

The second was a typo in tinyproxy.conf.  Based on my dhcp settings,
'Allow 192.168.0.0/25' should have been 'Allow 192.168.0.0/24'

Kudos to everyone and their suggestions.

Kind Regards,

Allen



Re: ftp problems with OpenBSD 3.9

2006-06-14 Thread Allen Theobald
I would ask:  does it still work under 3.8?  I'm not so sure 3.9
is the culprit.

MS security updates hose this kind of stuff all the time (at least
for me).

Take care,

Allen

--- Tim [EMAIL PROTECTED] wrote:

> I may be beat up for asking this question, but I'll endure it if it
> leads to an answer.
>
> In the past, I've set up OpenBSD 3.8 ftpd servers that my users access
> using Microsoft web folders.  Everything works fine.  A user double
> clicks on the web folder and the contents of the ftp folder pops up
> right away.  Microsoft web folders is a way of creating a folder to
> access an ftp server but make it look like a regular Windows explorer
> folder.  It is available by default in Microsoft 2000 and XP.
>
> Now I've installed a couple of OpenBSD 3.9 ftpd servers which are
> configured exactly like the OpenBSD 3.8 servers.  But when a user
> double-clicks on a web folder, an error message pops up saying that login
> failed.  At this point I click login as and click the okay button
> because the username and password are saved already (this is on the
> client-side).  This results in a successful login.
>
> So my question is, has there been a change in OpenBSD 3.9 from 3.8 that
> caused ftp authentication that worked fine in 3.8 to not work in 3.9?
>
> Why am I doing this setup?  Our company buys big copier machines that
> have scanning capabilities.  In order to use the scanning capabilities,
> the copier needs to send the scans to a server.  I can set up a Microsoft
> file server or I can set up an OpenBSD ftp server.  So for maintenance,
> security, cost and licensing administration reasons, I chose the OpenBSD
> ftp server option.



Transparent Tinyproxy and PF

2006-06-12 Thread Allen Theobald
Good morning,

I am having problems getting tinyproxy 1.6.3 to run transparently 
with pf.

I recompiled/reinstalled tinyproxy with --enable-transparent-proxy 
and restarted my system.

I figured the key is to start simple and build from there.

So, I set up the most simplistic pf ruleset:  pass everything and 
log all traffic going in and out of the firewall.

   int_if=xl0
   ext_if=rl0
   set loginterface $int_if
   nat on $ext_if from !($ext_if) -> ($ext_if:0)
   rdr on $int_if inet proto tcp from $int_net to any \
      port www -> 127.0.0.1 port 3128
   pass in log all keep state
   pass out log all keep state

Here is what happens: 

1. As it stands,
   No internal clients can surf the internet.

2. If I comment out the rdr,
   my internal clients can surf the internet.

3. Leave rdr commented out, 
   set internal browsers to use firewall addr plus port 3128 as proxy,
   my internal clients can surf the internet.

All this would suggest that tinyproxy is not acting as a 
transparent proxy.

But I'm not sure what to do next to figure it all out.

Thanks and take care,

Allen



Re: Transparent Tinyproxy and PF

2006-06-12 Thread Allen Theobald
--- Stuart Henderson [EMAIL PROTECTED] wrote:

> On 2006/06/12 04:20, Allen Theobald wrote:
> > I recompiled/reinstalled tinyproxy with --enable-transparent-proxy
> > and restarted my system.
>
> Double-check you're running the new binary...ports/packages might
> not put files in the same place as the original distribution, I
> don't know if that's relevant to you?

Thanks for the suggestion.  I double-checked and I am running the
correct binary.

> Are you testing from a web browser? If not, make sure you supply
> HOST: headers when testing. Tinyproxy doesn't know how to use
> /dev/pf to fetch the original destination address.

I am testing from a browser only.  The 'rdr' causes the browser to
get 'access denied' messages.

> rdr on $int_if inet proto tcp from $int_net to any \
>    port www -> 127.0.0.1 port 3128
>
> Looks ok.

I will tcpdump -netti pflog0, see what it says and report back.

Take care,

Allen



Package configurations

2006-06-09 Thread Allen Theobald
Hello!

For an installed package, how can I tell what the configure
script (./configure) or command-line arguments to the build were?

Take care,

Allen



squid and pf and dansguardian

2006-06-08 Thread Allen Theobald
Greetings,

I get transparent proxying with squid and pf.  

I get dansguardian and pf.

What I don't get is squid, dansguardian, and pf.

pf.conf fragment:

   int_if=gem0
   ext_if=kue0

   # redirect to squid
   rdr on $int_if inet proto tcp from any to any \
      port www -> 127.0.0.1 port 3128

   ## Allow the redirected connections to pass.
   pass in on $int_if inet proto tcp from any to 127.0.0.1 \
      port 3128 keep state

   ## Also, the proxy must be able to establish outgoing
   ## connections to external web servers.
   pass out on $ext_if inet proto tcp from any to any \
      port www keep state

   pass quick on $int_if

But now I want to put dansguardian on.  It listens on 8080, uses 
proxy port 3128.

How do these rules change?  I think I change 3128 to 8080 in the 
above rules.  But what happens to 3128?  Do I still need a 'pass in'
rule for 3128?

Thanks and take care,

Allen
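Added example, not the rule set from any post on this page: one pf.conf that answers both the "squid and pf and dansguardian" question just above and the "Prevent circumventing dansguardian with pf" thread at the top of the page. It assumes dansguardian listening on 127.0.0.1:8080 (filterport 8080) in front of tinyproxy or squid on 127.0.0.1:3128 (proxyport 3128), with the interface names and LAN range of the first post.

```pf
# Added example (not from any post on this page).  Assumed layout:
# dansguardian on 127.0.0.1:8080 forwards to the real proxy (tinyproxy
# or squid) on 127.0.0.1:3128.  Interfaces and LAN follow the first post.
ext_if = "rl0"
int_if = "xl0"
int_net = "192.168.0.0/24"
filter_port = "8080"        # dansguardian
proxy_port = "3128"         # tinyproxy/squid, reachable only via dansguardian

set block-policy return
set skip on lo              # dansguardian -> 127.0.0.1:3128 travels over lo
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Every LAN http request is rewritten to dansguardian before filtering,
# so the filter rules below see 127.0.0.1 port 8080 as the destination.
rdr on $int_if inet proto tcp from $int_net to any \
    port www -> 127.0.0.1 port $filter_port

block in

# Close the bypass: a browser pointed straight at <firewall>:3128 is not
# touched by the rdr (it is not port www) and would otherwise be let in by
# the broad 'pass on $int_if' further down.  'quick' ends evaluation here.
# Port www traffic is already rewritten to 8080 and is unaffected; as a
# side effect the LAN also cannot reach some other proxy on 3128 elsewhere.
block in quick on $int_if inet proto tcp from $int_net to any \
    port $proxy_port

antispoof quick for { lo $int_if }

# The redirected connections reach dansguardian.  No separate 'pass in'
# for 3128 is needed: that hop never crosses a filtered interface.
pass in on $int_if inet proto tcp from $int_net to 127.0.0.1 \
    port $filter_port keep state

# Remaining LAN traffic, and the proxies' own fetches out through $ext_if.
pass on $int_if keep state
pass out on $ext_if keep state
```

Binding the upstream proxy to loopback in its own config (`Listen 127.0.0.1` in tinyproxy.conf, or `http_port 127.0.0.1:3128` for squid) means it never answers on $int_if at all, so the pf block is a second line of defence rather than the only one.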



PF, DNS, and internal network -- solved

2006-06-05 Thread Allen Theobald
Greetings and thank you all for your replies.

Thanks to all your suggestions I finally got it going with a caching 
DNS server.

I understand this particular approach and am grateful to have it 
working.

Being somewhat of a geek I am not content with merely getting it
working, though!   :^)

Now I need to understand why a DNS caching server was necessary.

If anyone can shed some practical/theoretical knowledge as to why 
pinging www.google.com with this setup couldn't reach the internal
network:

Set /etc/sysctl.conf:   net.inet.ip.forwarding=1
Set /etc/rc.conf:   pf=YES
Set /etc/pf.conf:
   # Translation
   nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

   # Unfiltered
   pass in log all keep state
   pass out log all keep state

I'd be much obliged!

Oh! And all the internal clients point their gateway and
dns to the internal interface side of the firewall.

Thanks and take care,

Allen



Re: PF, DNS, and internal network -- solved -- nevermind

2006-06-05 Thread Allen Theobald
In case anyone was going to answer this.   :^)

Forget this followup.

In my rush to get an answer I didn't actually think about what I
was asking at the end (thanks to Jeff Quast for pointing this out).

Take care,

Allen



PF, DNS, and internal network

2006-06-02 Thread Allen Theobald
Greetings everyone!

Apologies in advance if this came through already.
 
This question has to do with PF and DNS from my internal 
network to my ISP.

Here is what I have done:

Set /etc/sysctl.conf

   net.inet.ip.forwarding=1

Set /etc/rc.conf

   pf=YES

Used the pf.conf file from the FAQ
(http://www.openbsd.org/faq/pf/example1.html).  Except 
my internal is xl0 and my external is rl0.  rl0 gets 
its IP dynamically.

My network looks exactly like the one in the FAQ
(http://www.openbsd.org/faq/pf/example1.html).

I can ping www.google.com from the firewall.

But I cannot ping www.google.com from any computers 
on the internal network.

First, does the pf.conf in the FAQ route DNS requests 
from the internal network?

Second, if not would someone suggest a rule to accomplish 
that, so that DNS can be handled by my ISP?
 
I've tried a couple of rdr/pass combinations.  But no luck.
 
Hell, I'm not even sure any rdr/pass combinations are
required... doesn't seem like it.

Thanks and take care,

Allen 